The classical (boolean) notion of refinement for behavioral interfaces of system components is the alternating refinement preorder. In this paper, we define a distance for interfaces, called interface simulation distance. It makes the alternating refinement preorder quantitative by, intuitively, tolerating errors (while counting them) in the alternating simulation game. We show that the interface simulation distance satisfies the triangle inequality, that the distance between two interfaces does not increase under parallel composition with a third interface, and that the distance between two interfaces can be bounded from above and below by distances between abstractions of the two interfaces. We illustrate the framework, and the properties of the distances under composition of interfaces, with two case studies.

1 Introduction 

The component-based approach is an important design principle in software and systems engineering. In order to document, specify, validate, or verify components, various formalisms that capture behavioral aspects of component interfaces have been proposed [2, 4, 5, 17]. These formalisms capture assumptions on the inputs and their order, and guarantees on the outputs and their order. For closed systems (which do not interact with the environment via inputs or outputs), a natural notion of refinement is given by the simulation preorder. For open systems, which expect inputs and provide outputs, the corresponding notion is given by the alternating simulation preorder [6]. Under alternating simulation, an interface A is refined by an interface B if, after any given sequence of inputs and outputs, B accepts all inputs that A accepts, and B provides only outputs that A provides. The alternating simulation preorder is a boolean notion: interface A either is refined by interface B, or it is not. However, there are various reasons for which the alternating simulation can fail, and one can make quantitative distinctions between these reasons. For instance, if B does not accept an input that A accepts (or provides an output that A does not provide) at every step, then B is more different from A than an interface that makes such a mistake only once, or at least not as often as B.

We propose an extension of the alternating simulation to the quantitative setting. We build on the notion of simulation distances introduced in [9]. Consider the definition of alternating simulation of an interface A by an interface B as a two-player game. In this game, Player 1 chooses moves (transitions), and Player 2 tries to match them. Player 1 chooses input transitions from the interface A and output transitions from the interface B; Player 2 responds by a transition from the other system. The goal of Player 1 is to prove that the alternating simulation does not hold, by driving the game into a state from which Player 2 cannot match the chosen move; the goal of Player 2 is to prove that there exists an alternating simulation, by playing the game forever. We extend this definition to the quantitative case. Informally, we will tolerate errors by Player 2. However, Player 2 will pay a certain price for such errors. More precisely, Player 2 is allowed to "cheat" by following a non-existing transition. The price for such a transition is given by an error model. The error model assigns the transitions from the original system a weight 0, and assigns the new "cheating" transitions a positive weight. The goal of Player 1 is then to maximize the cost of the game, and the goal of Player 2 is to minimize it. The cost is given by an objective function, such as the limit average of transition prices. As Player 2 is trying to minimize the value of the game, she is motivated not to cheat. The value of the game measures how often Player 2 can be forced to cheat by Player 1.

Figure 1: Example 1

Consider the example in Figure 1. The two interfaces on the left side (IntA and IntB) represent requirements on a particular component by a designer. The three interfaces (Int1, Int2, and Int3) on the right side are interfaces for different off-the-shelf components provided by a vendor. We illustrate how interface simulation distances can be used by the designer to choose a component whose interface satisfies her requirements most closely. Interface Int1 is precisely the interface required by IntB, so the distance from IntB to Int1 will be 0. However, the distance from IntA to Int1 is much greater. Informally, this is because Player 1, choosing a transition of IntA, could choose the b? input. Player 2, responding by a transition of Int1, has to cheat by playing the a? input. After that, Player 1 could choose the e! output (as a transition of Int1), and Player 2 (this time choosing a transition from IntA) has to cheat again. Player 2 thus has to cheat at every step. Interfaces Int2 (resp. Int3) improve on Int1 (with respect to requirement IntA) by adding inputs (resp. removing outputs). The distance from IntA to Int2 (Int3) is exactly half of the distance from IntA to Int1. The interfaces Int2 and Int3 have distance to IntB. Int2 and Int3 satisfy the requirements IntA and IntB better than the interface Int1.

The model of behavioral interfaces we consider is a variant of interface automata [2]. This choice was made for ease of presentation of the main ideas of the paper. However, the definition of interface simulation distance can be extended to richer models.

We establish basic properties of the interface simulation distance. First, we show that the triangle inequality holds for the interface simulation distance. This, together with the fact that reflexivity holds for this distance as well, shows that it is a directed metric [5]. Second, we give an algorithm for calculating the distance. The interface simulation distance can be calculated by solving the value problem in the corresponding game, that is, in limit-average games or discounted-sum games. The values of such games can be computed in pseudo-polynomial time [18]. (More precisely, the complexity depends on the magnitude of the largest weight used in the error model. Thus the running time is exponential in the size of the input if the weights are given in binary.)

We present composition and abstraction techniques that are useful for computing and approximating simulation distances between large systems. These properties suggest that the interface simulation distance provides an appropriate basis for a quantitative analysis of interfaces. The composition of interface automata, which also composes the assumptions on their environments, was defined in [2]. In this paper, we prove that the distance between two interfaces does not increase under the composition with a third interface. The technical challenges in the proof appear precisely because of the involved definition of composition of interface automata, and are not present in the simpler setting of closed systems of [9]. We also show that the distance between two interfaces can be over- or under-approximated by distances between abstractions of the two interfaces. For instance, for over-approximation, input transitions are abstracted universally, and output transitions are abstracted existentially.

We illustrate the interface simulation distance, and in particular its behavior under interface composition, on two case studies. The first concerns a simple message transmission protocol over an unreliable medium. The second case study models error correcting codes.

Summarizing, this paper defines the interface simulation distance for automata with inputs and outputs, and establishes basic properties of this distance, as well as abstraction and compositionality theorems.

Related work. The alternating simulation preorder was defined in [6] in order to generalize the simulation preorder to input/output systems. The alternating simulation can be checked in polynomial time, as is the case for the ordinary simulation relation. Interface automata have been defined in [2] to facilitate component-based design, and the theory was developed further, e.g., in [13, 4, 11, 16]. The natural notion of refinement for interface automata corresponds to the alternating simulation preorder. Simulation distances have been proposed in [9] (the full version was published recently in [10]) as a step towards extending specification formalisms and verification algorithms to a quantitative setting. This paper extends the quantitative notion of simulation distances to the alternating simulation preorder for interface automata.

There have been several attempts to give mathematical semantics to reactive processes based on quantitative metrics rather than boolean preorders [7, 1]. In particular, for probabilistic processes it is natural to generalize bisimulation relations to bisimulation metrics [12], and similar generalizations can be pursued if quantities enter through continuous variables, such as time [1]. In contrast, we consider distances between purely discrete (non-probabilistic, untimed) systems.

2 Interface Simulation Distances 
2.1 Broadcast Interface Automata 

Interface automata were introduced in [2] to model components of a system communicating through interfaces. We use a variant of interface automata which we call broadcast interface automata (BIA).

A broadcast interface automaton $F$ is a tuple $(Q, q^0, A^I, A^O, \delta)$ consisting of a finite set of states $Q$, the initial state $q^0$, two disjoint sets $A^I$ and $A^O$ of input and output actions, and a set $\delta \subseteq Q \times A \times Q$ of transitions. We let $A = A^I \cup A^O$. Additionally, we require that $F$ is input deterministic, i.e., for all $q, q', q'' \in Q$ and all $a_I \in A^I$, if there are transitions $(q, a_I, q')$ and $(q, a_I, q'') \in \delta$, then $q' = q''$.

Given a state $q \in Q$ and an action $a \in A$, let $\mathrm{post}(q, a) = \{q' \mid (q, a, q') \in \delta\}$. Similarly, given a state $q \in Q$, let $A^I(q)$ be the input actions enabled at state $q$ ($A^O(q)$ for output actions). Note that a BIA is not required to be input-enabled, hence there may be states $q$ where $A^I(q) \neq A^I$.

An example of a BIA can be seen in Figure 1. The actions terminated by the ? (!) symbol are input (output) actions, respectively. The BIA IntA can input a? or b?. Depending on the input it can output c! or e! (c! or d!, respectively), and this repeats forever.

There are two differences between standard interface automata and BIAs. First, the communication paradigm in interface automata is pairwise, i.e., an output from a component can serve as the input to only one other component. However, in BIAs the communication model is broadcast, i.e., an output from a component can serve as input for multiple different components. Second, standard interface automata have hidden (internal) actions, which are omitted from the definition of BIAs. These modifications were introduced in order to simplify the presentation of the interface simulation distance, and to enable us to clearly express the principal ideas. The distance can be defined for richer models of automata with inputs and outputs, including standard interface automata.

Alternating Simulation. Given two BIAs $F$ and $F'$, a binary relation on states $\succeq \subseteq Q_F \times Q_{F'}$ is an alternating simulation by $F$ of $F'$ if $q \succeq q'$ implies:

1. for all $a_I \in A^I(q)$ and $r \in \mathrm{post}(q, a_I)$, there exists a state $r' \in \mathrm{post}(q', a_I)$ such that $r \succeq r'$;

2. for all $a_O \in A^O(q')$ and $r' \in \mathrm{post}(q', a_O)$, there exists a state $r \in \mathrm{post}(q, a_O)$ such that $r \succeq r'$.

A BIA $F'$ refines a BIA $F$ (written $F \succeq F'$) if

1. $A^I_F \subseteq A^I_{F'}$ and $A^O_F \supseteq A^O_{F'}$;

2. there exists an alternating simulation $\succeq$ by $F$ of $F'$ such that $q^0_F \succeq q^0_{F'}$.

The intuition behind the above definitions is that when $F \succeq F'$, the component $F$ in a system can be replaced with the component $F'$ without leading to any erroneous behavior.

Consider the BIAs IntB and Int1 in Figure 1. Note that Int1 refines IntB, i.e., IntB $\succeq$ Int1. One can easily observe that the converse is not true.

Composition of BIAs. When composing BIAs it is required that the inputs (outputs) of the two automata do not mix, i.e., two BIAs $F$ and $G$ are composable if $A^I_F \cap A^I_G = \emptyset$ and $A^O_F \cap A^O_G = \emptyset$. For two composable BIAs $F$ and $G$ we let $\mathrm{shared}(F, G) = A_F \cap A_G$.

Whenever there is an action $a \in \mathrm{shared}(F, G)$ the composed system makes a joint transition and the output action remains visible. Finally, the composition of two composable BIAs $F = (Q_F, q^0_F, A^I_F, A^O_F, \delta_F)$ and $G = (Q_G, q^0_G, A^I_G, A^O_G, \delta_G)$ is a BIA $F \otimes G = (Q_{F \otimes G}, q^0_{F \otimes G}, A^I_{F \otimes G}, A^O_{F \otimes G}, \delta_{F \otimes G})$ where the states of the product $Q_{F \otimes G}$ are $Q_F \times Q_G$, with the initial state $q^0_{F \otimes G} = (q^0_F, q^0_G)$. The product input (output) alphabet is $A^I_{F \otimes G} = (A^I_F \cup A^I_G) \setminus \mathrm{shared}(F, G)$ ($A^O_{F \otimes G} = A^O_F \cup A^O_G$), respectively. The transition relation $\delta_{F \otimes G}$ contains the transition $((q, r), a, (q', r'))$ iff

• $a \notin \mathrm{shared}(F, G)$ and $(q, a, q') \in \delta_F$ and $r = r'$, or

• $a \notin \mathrm{shared}(F, G)$ and $(r, a, r') \in \delta_G$ and $q = q'$, or

• $a \in \mathrm{shared}(F, G)$ and $(q, a, q') \in \delta_F$ and $(r, a, r') \in \delta_G$.

Given two composable BIAs $F$ and $G$, a product state $(p, q)$ is an error state of the product automaton $F \otimes G$ if there exists a shared action $a \in \mathrm{shared}(F, G)$ such that $a \in A^O_F(p)$ and $a \notin A^I_G(q)$, or $a \in A^O_G(q)$ and $a \notin A^I_F(p)$. A state $(p, q)$ of the product automaton is compatible if no error state is reachable from the state $(p, q)$ using only output actions. A state that is not compatible is incompatible. Two BIAs $F$ and $G$ are compatible iff the initial state of their product automaton $F \otimes G$ is compatible (denoted by $F \sim G$). The product of two compatible automata $F$ and $G$ restricted to compatible states is denoted by $F \parallel G$ and is obtained from $F \otimes G$ by removing input action transitions that lead from compatible to incompatible states.

Figure 2: Composition of BIAs

A composition of BIAs $F$ and $F'$ and the composed interface $F \parallel F'$ restricted to compatible states can be seen in Figure 2. Actions a and c become shared actions in the composition and the composed interface makes a joint transition on these actions. Note that when constructing the product $F \otimes F'$ an error state is reachable, therefore the input transition (b?) leading from a compatible to an incompatible state is removed from the product $F \parallel F'$.

2.2 Graph Games 

In this section, we introduce concepts from the theory of 2-player graph games that are necessary for the exposition. A game graph is a tuple $H = (S, S_1, S_2, E, s_i)$, where $S$ is a finite set of states, $E \subseteq S \times S$ is a set of edges, $s_i \in S$ is an initial state, and $S_1$ and $S_2$ partition the state space $S$ into Player 1 and Player 2 states, respectively. The game proceeds as follows: First, a token is placed on the initial state $s_i$. Now, whenever the token is on a state $s \in S_i$, $i \in \{1, 2\}$, Player $i$ picks a successor $s'$ of $s$ and the token is moved to the state $s'$, and the process continues infinitely. The result $\rho = \rho_0 \rho_1 \ldots$ of an infinite sequence of visited states is called a play. The set of all plays is denoted by $\Omega$.

Strategies. A strategy for Player $i$ is a recipe for Player $i$ to choose the next transition. Formally, a Player $i$ strategy $\pi^i : S^* \cdot S_i \to S$ is a function such that for all $w \in S^*$ and $s \in S_i$, we have $(s, \pi^i(w \cdot s)) \in E$. We denote by $\Pi^i$ the set of all Player $i$ strategies. The string $w$ is called the history of the play and $s$ is called the last state of the play.

We define two restricted notions of strategies that are sufficient in many cases. A strategy is:

• Positional or memoryless if the chosen successor is independent of the history, i.e., for all $w \in S^*$, $\pi^i(w \cdot s) = \pi^i(s)$.

• Finite-memory if there exists a finite memory set $M$ and an initial memory state $m_0 \in M$, a memory function $\mu : S^* \times M \to M$, and a move function $\nu : M \times S_i \to S$ such that: (a) $\mu(\varepsilon, m_0) = m_0$ and $\mu(w \cdot s, m_0) = \mu(s, \mu(w, m_0))$; and (b) $\pi^i(w \cdot s) = \nu(\mu(w, m_0), s)$. Intuitively, (a) the state of the memory is updated based only upon the previous state of the memory and the last state of the play; and (b) the chosen successor depends only on the state of the memory and the last state of the play.

A play $\rho = \rho_0 \rho_1 \ldots$ is conformant to a Player $i$ strategy $\pi^i$ if for every $\rho_j \in S_i$, we have $\pi^i(\rho_0 \cdots \rho_j) = \rho_{j+1}$. Given a game graph $H$ and strategies $\pi^1$ and $\pi^2$ for Player 1 and Player 2 respectively, we get a unique path $Out_H(\pi^1, \pi^2)$ that is conformant to both of the strategies.

Objectives. A boolean objective $\Phi \subseteq \Omega$ denotes that Player 1 wins if the resultant play $\rho$ is in $\Phi$ and that Player 2 wins otherwise. A Player $i$ winning strategy is one for which all plays conformant to it are winning for Player $i$. We deal only with the reachability boolean objective. Given a set of target states $T \subseteq S$ and a play $\rho = \rho_0 \rho_1 \ldots$, $\rho \in Reach_T$ if and only if $\exists i : \rho_i \in T$.

A quantitative objective is a real-valued function $f : \Omega \to \mathbb{R}$ and the goal of Player 1 is to maximize the value of the play, whereas the goal of Player 2 is to minimize it. We consider the following quantitative objectives: Given a weight function $w : E \to \mathbb{R}$, we have

• $LimAvg(\rho) = \liminf_{n \to \infty} \frac{1}{n} \sum_{i=0}^{n-1} w((\rho_i, \rho_{i+1}))$

• $Disc_\lambda(\rho) = \lim_{n \to \infty} \sum_{i=0}^{n-1} \lambda^i \cdot w((\rho_i, \rho_{i+1}))$

Given a quantitative objective $f$ and a Player 1 strategy $\pi^1$, the value of the strategy $\pi^1$, denoted by $V_1(\pi^1)$, is $\inf_{\pi^2 \in \Pi^2} f(Out_H(\pi^1, \pi^2))$. Similarly, the value $V_2(\pi^2)$ of a Player 2 strategy $\pi^2$ is $\sup_{\pi^1 \in \Pi^1} f(Out_H(\pi^1, \pi^2))$. The value of the game is defined as $\sup_{\pi^1 \in \Pi^1} V_1(\pi^1)$ or, equivalently, $\sup_{\pi^1 \in \Pi^1} \inf_{\pi^2 \in \Pi^2} f(Out_H(\pi^1, \pi^2))$. A strategy is optimal if its value is equal to the value of the game. We conclude this section by stating the memoryless-determinacy theorems for LimAvg and Disc objectives (see e.g. [18]).

Theorem 1. For any game graph $H$ and a weight function $w$, we have that $\sup_{\pi^1 \in \Pi^1} \inf_{\pi^2 \in \Pi^2} f(Out_H(\pi^1, \pi^2)) = \inf_{\pi^2 \in \Pi^2} \sup_{\pi^1 \in \Pi^1} f(Out_H(\pi^1, \pi^2))$ for $f \in \{LimAvg, Disc\}$. Furthermore, there exist memoryless optimal strategies for both players.

2.3 Interface Simulation Games 

Simulation-like relations can be characterized as the existence of winning strategies in 2-player games known as simulation games. Here, we present the analogue of simulation games for alternating simulation of BIAs.

Alternating Simulation Games. Intuitively, given BIAs $F$ and $F'$, Player 1 picks either an input transition from $F$ or an output transition from $F'$, and Player 2 has to match it with a corresponding transition with the same action from $F'$ or $F$, respectively. We have $F \succeq F'$ if and only if Player 2 can keep matching the transitions forever.

Given BIAs $F = (Q_F, q^0_F, A^I_F, A^O_F, \delta_F)$ and $F' = (Q_{F'}, q^0_{F'}, A^I_{F'}, A^O_{F'}, \delta_{F'})$ such that $A^I_F \subseteq A^I_{F'}$ and $A^O_F \supseteq A^O_{F'}$, the alternating simulation game $H_{F, F'} = (S, S_1, S_2, E, s_i)$ is defined as follows:

• The state space is $S = S_1 \cup S_2$, where $S_1 = \{(s, \#, s') \mid s \in Q_F, s' \in Q_{F'}\} \cup \{s_{err}\}$ and $S_2 = \{(s, \sigma, s') \mid s \in Q_F, s' \in Q_{F'}, \sigma \in \Sigma\}$ ($\Sigma$ being the actions of $F$ and $F'$).

• The initial state is $s_i = (q^0_F, \#, q^0_{F'})$;

• The Player 1 edges correspond to:

- either input transitions from $F$: $(s, \#, s') \to (t, \sigma_I, s') \in E \Leftrightarrow (s, \sigma_I, t) \in \delta_F$; or

- output transitions from $F'$: $(s, \#, s') \to (s, \sigma_O, t') \in E \Leftrightarrow (s', \sigma_O, t') \in \delta_{F'}$.

• The Player 2 edges correspond to:

- either input transitions from $F'$: $(t, \sigma_I, s') \to (t, \#, t') \in E \Leftrightarrow (s', \sigma_I, t') \in \delta_{F'}$; or

- output transitions from $F$: $(s, \sigma_O, t') \to (t, \#, t') \in E \Leftrightarrow (s, \sigma_O, t) \in \delta_F$.

• For all states $s \in S_2$, if there is no outgoing edge from $s$ we add an edge $s \to s_{err}$; and for all states $s \in S_1$, if there is no outgoing edge from $s$ we add a selfloop on $s$.

The objective of Player 1 is to reach the state $s_{err}$ and the objective of Player 2 is to avoid reaching $s_{err}$. We have the following theorem.

Theorem 2. Given BIAs $F$ and $F'$ and the corresponding alternating simulation game $H_{F, F'}$, we have that $F \succeq F'$ if and only if Player 2 has a winning strategy in $H_{F, F'}$.

2.4 Quantitative Interface Simulation Games

We aim to establish a distance function between broadcast interface automata that expresses how "compatible" the automata are, even when the standard boolean notion of refinement does not hold. In order to do that we give more power to Player 2, by allowing him to play actions that are not originally in the game. However, to avoid free use of such actions, every time Player 2 plays an added action he receives a penalty. As we do not want Player 2 to play completely arbitrarily, we formalize the allowed "cheating" by a notion of input (output) error models.

An input (output) error model is a function $M : A^I \times A^I \to \mathbb{N} \cup \{\bot\}$ (resp. $M : A^O \times A^O \to \mathbb{N} \cup \{\bot\}$). We require for all $a, b, c \in A^I$ ($A^O$) that $M(a, a) = 0$ and $M(a, b) + M(b, c) \geq M(a, c)$. Given a BIA $F = (Q, q^0, A^I, A^O, \delta)$ and an error model $M$, let the modified system be $F \otimes M = (Q, q^0, A^I, A^O, \delta^M)$ with a weight function $\omega_M : \delta^M \to \mathbb{N}$, where the terms are defined as follows:

• $(s, \sigma_2, t) \in \delta^M \Leftrightarrow \exists \sigma_1 : (s, \sigma_1, t) \in \delta \wedge M(\sigma_1, \sigma_2) \neq \bot$;

• $\omega_M((s, \sigma_2, t)) = \min_{(s, \sigma_1, t) \in \delta} \{M(\sigma_1, \sigma_2)\}$.

Note that the automata enhanced with input error models are not BIAs, as they may not be input deterministic. However, all the definitions for BIAs can be naturally interpreted on a BIA composed with an error model. Given two BIAs $F$ with an output error model $M_O$ and $F'$ with an input error model $M_I$, we construct a game $H_{F \otimes M_O, F' \otimes M_I}$ for the systems $F \otimes M_O$ and $F' \otimes M_I$ similarly as described for BIAs in the previous subsection. We measure the "cheating" performed by Player 2 as either the limit-average or the discounted sum of the weights on the transitions. The transitions going out from Player 1 states get weight 0, with the exception of the selfloop on the $s_{err}$ state, which gets the maximal weight assigned by the error model. The weight of an edge from a Player 2 state is either (a) twice the weight of the corresponding $F' \otimes M_I$ transition when matching inputs; or (b) twice the weight of the corresponding $F \otimes M_O$ transition when matching outputs. The factor 2 occurs due to normalization. Given two BIAs $F$ and $F'$, a quantitative objective $f \in \{LimAvg, Disc_\lambda\}$ and an input (output) error model $M_I$ ($M_O$), the interface simulation distance $d^f(F \otimes M_O, F' \otimes M_I)$ is defined to be the value of the game $H_{F \otimes M_O, F' \otimes M_I}$.

Consider again the example in Figure 1 when using error models that can play input (output) actions interchangeably by receiving penalty 1. The distances $d$ among the systems for the quantitative objective LimAvg are presented in Table 1. The result $d(\mathrm{IntA}, \mathrm{Int1}) = 1$ is surprising when compared to simulation, where the distance would be 0. The high distance is due to the alternating matching. Player 1 chooses to play input b? in IntA. Player 2 has no choice but to respond by b? and receive the first penalty. Again Player 1 plays the e! output action, forcing Player 2 to cheat again. By repeating these transitions Player 1 can force Player 2 to receive a penalty in every turn, and therefore the distance is 1. The distance can be improved by adding a b? input action, as is shown in the case of Int2, where the distance has decreased to 1/2. Player 2 can now match every possible input, but fails to react on the e! output action. Player 1 can ensure the value 1/2 by playing b? and e! repeatedly. The second option to improve the distance is to remove some of the output edges, as is shown in Int3. Player 2 still cannot match the input b? but can respond to c! without receiving any penalty. As in the previous case, playing the sequence b?, c! ensures value 1/2 for Player 1.
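The game construction of Sections 2.3 and 2.4 and the LimAvg distance, as an added example (not code from the paper): the Python below builds $H_{F \otimes M_O, F' \otimes M_I}$ for two BIAs, decides boolean refinement via the reachability game of Theorem 2, and approximates the LimAvg value by finite-horizon value iteration. The automata of Figure 1 are reconstructed from the text's description (IntB is omitted, and the exact shape of Int2 and Int3 is an assumption); the weight of the edge into $s_{err}$ is also an assumption.

```python
"""Alternating simulation games for broadcast interface automata (BIAs), Sections 2.3-2.4.
Added example, not code from the paper.  Actions ending in '?' are inputs, '!' outputs."""
from itertools import product

ERR = 'err'   # the sink state s_err of the game

def bia(init, trans):
    """Build a BIA (Q, q0, A_I, A_O, delta) from its initial state and (q, a, q') transitions."""
    inputs = {a for _, a, _ in trans if a.endswith('?')}
    outputs = {a for _, a, _ in trans if a.endswith('!')}
    states = {q for q, _, _ in trans} | {q for _, _, q in trans} | {init}
    for q, a in product(states, inputs):          # input determinism (Section 2.1)
        assert len({t for s, b, t in trans if (s, b) == (q, a)}) <= 1, 'not input deterministic'
    return {'init': init, 'states': states, 'inputs': inputs, 'outputs': outputs, 'trans': set(trans)}

def exact(a1, a2):
    """Error model that allows no cheating: M(a, a) = 0, everything else is bottom (None)."""
    return 0 if a1 == a2 else None

def interchangeable(a1, a2):
    """Error model of the paper's example: actions of the same kind may be swapped at penalty 1."""
    return 0 if a1 == a2 else (1 if a1[-1] == a2[-1] else None)

def weighted_trans(aut, model, cheatable):
    """F (x) M (Section 2.4): a transition on a1 with a1 in `cheatable` may be played as a2
    whenever M(a1, a2) != bottom, at cost min over a1 of M(a1, a2); other transitions cost 0."""
    wt = {}
    for s, a1, t in aut['trans']:
        for a2 in (cheatable if a1 in cheatable else {a1}):
            w = model(a1, a2) if a1 in cheatable else 0
            if w is not None:
                wt[(s, a2, t)] = min(w, wt.get((s, a2, t), w))
    return wt

def is_p1(st):
    return st == ERR or st[1] == '#'

def build_game(F, Fp, Mo, Mi):
    """Game H_{F(x)Mo, F'(x)Mi}: Player 1 states (s, '#', s') and ERR, Player 2 states (s, a, s').
    Returns {state: {successor: weight}}; Player 1 edges weigh 0, Player 2 edges twice the
    F(x)Mo / F'(x)Mi transition weight (the paper's normalisation)."""
    inp, out = F['inputs'] | Fp['inputs'], F['outputs'] | Fp['outputs']
    dF, dFp = weighted_trans(F, Mo, out), weighted_trans(Fp, Mi, inp)
    W = max(list(dF.values()) + list(dFp.values()))
    edges = {ERR: {ERR: W}}                  # selfloop on s_err: maximal error-model weight
    for s, sp in product(F['states'], Fp['states']):
        p1 = edges.setdefault((s, '#', sp), {})
        p1.update({(t, a, sp): 0 for (u, a, t) in dF if u == s and a in inp})   # input move of F
        p1.update({(s, a, t): 0 for (u, a, t) in dFp if u == sp and a in out})  # output move of F'
        for a in inp | out:
            p2 = edges.setdefault((s, a, sp), {})
            if a in inp:                      # Player 2 answers with an input of F'(x)Mi
                p2.update({(s, '#', t): 2 * w for (u, b, t), w in dFp.items() if (u, b) == (sp, a)})
            else:                             # Player 2 answers with an output of F(x)Mo
                p2.update({(t, '#', sp): 2 * w for (u, b, t), w in dF.items() if (u, b) == (s, a)})
    for st, succ in edges.items():            # deadlocks: selfloop for Player 1, s_err for Player 2
        if not succ:
            succ[st if is_p1(st) else ERR] = 0   # assumption: the edge into s_err itself weighs 0
    return edges

def attractor(edges, target):
    """States from which Player 1 can force a visit to `target` (reachability objective)."""
    attr, grown = {target}, True
    while grown:
        grown = False
        for st, succ in edges.items():
            if st not in attr and (any if is_p1(st) else all)(t in attr for t in succ):
                attr.add(st)
                grown = True
    return attr

def refines(F, Fp):
    """F >= F' (Theorem 2): alphabet conditions plus Player 2 winning the reachability game."""
    if not (F['inputs'] <= Fp['inputs'] and F['outputs'] >= Fp['outputs']):
        return False
    return (F['init'], '#', Fp['init']) not in attractor(build_game(F, Fp, exact, exact), ERR)

def distance(F, Fp, Mo=interchangeable, Mi=interchangeable, k=1000):
    """LimAvg interface simulation distance d(F(x)Mo, F'(x)Mi), approximated by k-step value
    iteration v_k(init)/k (Player 1 maximises, Player 2 minimises); converges as k grows."""
    edges = build_game(F, Fp, Mo, Mi)
    v = {st: 0 for st in edges}
    for _ in range(k):
        v = {st: (max if is_p1(st) else min)(w + v[t] for t, w in succ.items())
             for st, succ in edges.items()}
    return v[(F['init'], '#', Fp['init'])] / k

# Figure 1 reconstructed from the paper's description (constructed input; assumption: Int2 adds the
# b? input to Int1 leading to the same state, Int3 removes the e! output from Int1; IntB omitted).
INT_A = bia('q0', [('q0', 'a?', 'q1'), ('q0', 'b?', 'q2'), ('q1', 'c!', 'q0'),
                   ('q1', 'e!', 'q0'), ('q2', 'c!', 'q0'), ('q2', 'd!', 'q0')])
INT_1 = bia('p0', [('p0', 'a?', 'p1'), ('p1', 'c!', 'p0'), ('p1', 'e!', 'p0')])
INT_2 = bia('p0', [('p0', 'a?', 'p1'), ('p0', 'b?', 'p1'), ('p1', 'c!', 'p0'), ('p1', 'e!', 'p0')])
INT_3 = bia('p0', [('p0', 'a?', 'p1'), ('p1', 'c!', 'p0')])

if __name__ == '__main__':
    for name, comp in (('Int1', INT_1), ('Int2', INT_2), ('Int3', INT_3)):
        print(f'IntA >= {name}: {refines(INT_A, comp)}   d(IntA, {name}) = {distance(INT_A, comp)}')
```

Running it reproduces the values discussed above: IntA refines none of the three components, while the distances are 1 for Int1 and 1/2 for Int2 and Int3.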



2.5 Complexity

By the results presented in [18] the complexity of finding the value of the game for the LimAvg objective is in $O(|V| \cdot |E| \cdot W)$, where $|V|$ is the number of game states, $|E|$ is the number of edges and $W$ is the maximal non-infinite weight used in the game. In our case, for BIAs $F = (Q_F, q^0_F, A^I_F, A^O_F, \delta_F)$ and $G = (Q_G, q^0_G, A^I_G, A^O_G, \delta_G)$ and error models $M_O, M_I$, the number of states in the game $H_{F \otimes M_O, G \otimes M_I}$ is $|Q_F| \cdot |Q_G| \cdot (|A_F| + |A_G| + 1) + 1$ and the number of edges is bounded by $|V|^2$. The algorithm for $Disc_\lambda$ given a fixed $\lambda$ is in PTIME by a variation of an algorithm presented in [18].

Table 1: Ex. 1



3 Properties of Interface Simulation Distances 

In this section, we present properties of the interface simulation distance. The distance satisfies the 
triangle inequality and does not increase when BIAs are composed with a third interface. Moreover, the 
distance can be bounded from above and below by considering the abstractions of the systems. 



3.1 Triangle Inequality 

The triangle inequality is the quantitative analogue of the boolean transitivity property. We show that the interface simulation distance is a directed metric, i.e., it satisfies the triangle inequality and the reflexivity property. The proof is similar to the case of pure simulation distances presented in [9].

Theorem 3. For $f \in \{LimAvg, Disc_\lambda\}$ the interface simulation distance $d^f$ is a directed metric, i.e.:

1. For all error models $M_I, M_O$ and BIAs $F_1, F_2, F_3$ we have: $d^f(F_1 \otimes M_O, F_3 \otimes M_I) \leq d^f(F_1 \otimes M_O, F_2 \otimes M_I) + d^f(F_2 \otimes M_O, F_3 \otimes M_I)$.

2. For all error models $M_I, M_O$ and BIAs $F$ we have $d^f(F \otimes M_O, F \otimes M_I) = 0$.
3.2 Composition

In this part we show that the distance between two BIAs $F$ and $F'$ does not increase when both are composed with a third BIA $G$, when using the same error models $M_O, M_I$.

As we want to use the same output error model $M_O$ in $F$ and $F \parallel G$ (similarly $M_I$ in $F'$ and $F' \parallel G$), we restrict the error models. Assume $\sigma_1 \neq \sigma_2$, then:

• If $M_O(\sigma_1, \sigma_2) \neq \bot$, then $\sigma_2 \in A^O_{F \parallel G} \setminus A_G$.

• If $M_I(\sigma_1, \sigma_2) \neq \bot$, then $\sigma_2 \in A^I_{F' \parallel G} \setminus A_G$.

Remark 4. By the above restriction on the error models, the actions added by $M_O$ to $F$ and by $M_I$ to $F'$ are not actions of $G$, so the alphabets shared with $G$ are unchanged. Therefore, we get that $F \otimes M_O$ and $F' \otimes M_I$ are composable with $G$ if $F$ and $F'$ are composable with $G$.

The following lemma establishes that extending $F$ with the error model does not change compatibility with $G$. Note that this would not be the case if the assumption on the error models was violated.

Lemma 5. For all BIAs $F, G$ and error models $M_I, M_O$, if $F$ is compatible with $G$, then $F \otimes M_O$ ($F \otimes M_I$) is compatible with $G$.

The proof for the output error model $M_O$ follows easily from the fact that any sequence of output actions in $(F \otimes M_O) \otimes G$ can be replayed in $F \otimes G$ by replacing those actions that are added by the error model in $F \otimes M_O$ with the original transitions from $F$. The case of the input error model follows directly from the definition.

First, we establish the following preliminary lemma in anticipation of the main theorem. We need to show that the properties of incompatibility and of being an error state are preserved even when the BIAs are extended with error models.

Lemma 6. Let $F$, $F'$, and $G$ be BIAs with $\mathrm{shared}(F', G) \subseteq \mathrm{shared}(F, G)$, and $M_O, M_I$ error models. Suppose that $(p', q)$ is a state in $(F' \otimes G) \otimes M_I$ and $p \succeq p'$ for some alternating simulation relation $\succeq \subseteq Q_F \times Q_{F'}$ between $F \otimes M_O$ and $F' \otimes M_I$. Then,

1. if $(p', q)$ is an error state, then $(p, q)$ is an error state;

2. if $(p', q)$ is an incompatible state, then $(p, q)$ is an incompatible state.

Proof. 1. From the definition of an error state, it follows that there exists an action $a \in \mathrm{shared}(F', G) \subseteq \mathrm{shared}(F, G)$ such that either

• $a \in A^O_{F'}(p')$ and $a \notin A^I_G(q)$, or

• $a \in A^O_G(q)$ and $a \notin A^I_{F'}(p')$.

In the former case, as $p \succeq p'$, we have $a \in A^O_F(p)$, hence $(p, q)$ is an error state. In the latter case, from $a \notin A^I_{F'}(p')$ and $p \succeq p'$ it follows that $a \notin A^I_F(p)$ and again $(p, q)$ is an error state.

2. If $(p', q)$ is an incompatible state in $(F' \otimes G) \otimes M_I$, it follows that an error state is autonomously reachable from $(p', q)$ using only output actions. As $p \succeq p'$ the same sequence of actions can be replayed from the state $(p, q)$: (i) the actions that change only the $G$ component of the state are the same, and (ii) the actions that change the $F'$ component can be simulated in $F$ as $p \succeq p'$. We have either (a) that the replayed sequence reaches an error state before the end; or (b) the last reached state is an error state. The claim (b) follows from the previous part 1. In both cases, we get the required result. □

The following lemma states that the broadcast interface automata enhanced with error models have the same properties under composition as interface automata. Note that the restrictions on error models imply that a BIA composed with an error model remains input deterministic on shared actions. Due to this fact the proof is a variation of a similar result for interface automata presented in [3].

Lemma 7. Consider three BIAs $F$, $G$, and $F'$ with input (output) error models $M_I$ ($M_O$), such that $F \otimes M_O$ and $G$ are composable and $\mathrm{shared}(F', G) \subseteq \mathrm{shared}(F, G)$. If $F \otimes M_O \sim G$ and $F \otimes M_O \succeq F' \otimes M_I$, then $F' \sim G$.

Finally, we can prove the main theorem, showing that composition with a third interface can only decrease the distance. In the game between the composed systems, we construct a Player 2 strategy that (a) for the first component, uses the Player 2 strategy from the game $H_{F \otimes M_O, F' \otimes M_I}$, and (b) for the second component, copies the Player 1 transition.

There are two obstacles to this scheme of using the Player 2 strategy in the first component: (a) some of the actions become shared actions; and (b) some of the states of the composed system may become unreachable due to their incompatibility. Using Lemma 6 and Lemma 5, we will overcome these obstacles.

Theorem 8. Consider three BIAs $F$, $G$, and $F'$, a quantitative objective $f \in \{LimAvg, Disc_\lambda\}$, and input (output) error models $M_I$, $M_O$ such that $F$ and $G$ are composable, compatible, and $\mathrm{shared}(F', G) \subseteq \mathrm{shared}(F, G)$. Then,

$d^f(F \otimes M_O, F' \otimes M_I) \geq d^f((F \parallel G) \otimes M_O, (F' \parallel G) \otimes M_I)$.
Proof. We split the proof into two cases.

(a) Player 2 cannot avoid reaching the $s_{err}$ state in the game $H_{F \otimes M_O, F' \otimes M_I}$. This is the easier case and we will not present the details here.

(b) Player 2 can avoid reaching the $s_{err}$ state in the game $H_{F \otimes M_O, F' \otimes M_I}$. We get that $F' \otimes M_I$ refines $F \otimes M_O$. Let $\succeq'$ be the maximal alternating simulation relation and furthermore, let $\pi^2_1$ be the optimal positional Player 2 strategy in the game. By Remark 4 we get that $F \otimes M_O$ is composable with $G$, from Lemma 5 it follows that $F \otimes M_O$ is compatible with $G$, and finally by Lemma 7 we get that the composition $F' \parallel G$ is not empty.

Using the relation $\succeq'$ we define an alternating simulation relation $\succeq^*$ by $(F \parallel G) \otimes M_O$ of $(F' \parallel G) \otimes M_I$ as follows:

$(p, q) \succeq^* (r, s) \Leftrightarrow p \succeq' r \wedge q = s$ for $p$ and $r$ states of $F$ and $F'$ and $q$ and $s$ states of $G$.

We construct a positional Player 2 strategy $\pi^2$ in the game $H_{(F \parallel G) \otimes M_O, (F' \parallel G) \otimes M_I}$ based on the strategy $\pi^2_1$, such that for all Player 1 strategies $\pi^1$ the strategy $\pi^2$ will ensure that $f(out(\pi^1, \pi^2)) \leq d^f(F \otimes M_O, F' \otimes M_I)$.

We will match actions in the first component using the strategy $\pi^2_1$. Actions from the $G$ component are going to be copied directly. This will ensure that every reachable Player 1 state $((p, q), \#, (r, s))$ satisfies $(p, q) \succeq^* (r, s)$. We have the following cases based on the kind of transition chosen by Player 1:

• Unshared actions from $G$: If Player 1 chooses the state $((p, q'), a_I, (r, s))$, we have $\pi^2(((p, q'), a_I, (r, s))) = ((p, q'), \#, (r, q'))$. This is possible as $q = s$. Similarly, for a state $((p, q), a_O, (r, s'))$ we define $\pi^2(((p, q), a_O, (r, s'))) = ((p, s'), \#, (r, s'))$.

• Unshared input action from $F$: If Player 1 chooses the state $((p', q), a_I, (r, s))$, we have $\pi^2(((p', q), a_I, (r, s))) = ((p', q), \#, (r', s))$ if $\pi^2_1((p', a_I, r)) = (p', \#, r')$. We have to make sure that the transition $((r, s), a_I, (r', s))$ is not removed to ensure compatibility. In that case, from Lemma 6 and the fact that $(p, q) \succeq^* (r, s)$, we would have that $(p, q)$ is an incompatible state. However, the transition from a compatible to an incompatible state in the $(F \parallel G) \otimes M_O$ component is possible only by a Player 1 transition. Therefore, Player 2 will not play an incompatible transition if Player 1 does not play an incompatible transition.

• Unshared output action from $F'$: This case is similar to the previous one, but simpler, as output transitions are not removed to ensure compatibility.
• Shared output action (input from $G$): If Player 1 chooses the state $((p,q),a_O,(r',s'))$, we have

$$\pi^2(((p,q),a_O,(r',s'))) = ((p',s'),\#,(r',s')) \quad \text{if } \pi^1((p,a_O,r')) = (p',\#,r').$$

• Shared output action (output from $G$): This case is the trickiest due to the need to simulate inputs in the first component the "wrong" way (from $F'$ to $F$).

If Player 1 chooses the state $((p,q),a_O,(r',s'))$, we have $\pi^2(((p,q),a_O,(r',s'))) = ((p',s'),\#,(r',s'))$ where $p'$ is the unique state reachable from $p$ on the action $a_O$. The existence of this action is argued here.

- Firstly, due to input determinacy on shared actions, at most one state is reachable from $p$ on action $a_O$. Furthermore, there can be no transitions with action $a_O$ added by $M_I$, as $a_O$ is shared with $G$.

- Second, assuming that $(p,q)$ is compatible, we have that at least one state is reachable from $p$ on action $a_O$. As in the above cases, we can argue that $(p,q)$ is compatible.

In the game $H_{F\otimes M_O,F'\otimes M_I}$ we translate this step as follows. From $(p,\#,r)$, Player 1 chooses the successor $(p',a_O,r)$ (note that $a_O$ is an input action for $F$ and $F'$); and then, $\pi^1((p',a_O,r)) = (p',\#,r')$. The justification is as follows: since $s_{err}$ is not visited, $\pi^1$ has to choose a successor with the transition symbol $a_O$ (which is uniquely $p'$, as above).
Let $\pi_1$ be an arbitrary Player 1 strategy and consider the play $\rho = out(\pi_1,\pi^2)$. (a) If the first case from the 5 above occurs, the transition weight is 0; and (b) for any of the other cases, the transition weight is the same as the weight of the corresponding transition in a play $\rho'$ in $H_{F\otimes M_O,F'\otimes M_I}$ conformant to $\pi^1$.

Therefore, the weights in $\rho$ are the weights in $\rho'$, interspersed with some zero weights. Hence we get

$$d^f((F \| G)\otimes M_O, (F' \| G)\otimes M_I) \le f(\rho) \le f(\rho') \le v(\pi^1) = d^f(F\otimes M_O, F'\otimes M_I),$$

proving the required result. □



3.3 Abstraction 

In the classical boolean case, systems can be analyzed with the help of sound over- and under-approximations. We present the quantitative analogue of the soundness theorems for over- and under-abstractions: the distance between two systems is bounded by the distances between their abstractions.

Given a BIA $F = (Q, q^0, A^I, A^O, \delta)$, a $\forall\exists$ abstraction is a BIA $F^{\forall\exists} = (S, [q^0], A^I, A^O, \delta^{\forall\exists})$, where $S$ are the equivalence classes of some equivalence relation on $Q$ and

$$\delta^{\forall\exists} = \{(s,a_I,s') \mid a_I \in A^I \text{ and } \forall q \in s,\ \exists q' \in s' : (q,a_I,q') \in \delta\} \ \cup\ \{(s,a_O,s') \mid a_O \in A^O \text{ and } \exists q \in s,\ \exists q' \in s' : (q,a_O,q') \in \delta\}$$

Similarly we define the $\exists\forall$ abstraction BIA $F^{\exists\forall}$ with the transition relation $\delta^{\exists\forall}$ defined as follows:

$$\delta^{\exists\forall} = \{(s,a_I,s') \mid a_I \in A^I \text{ and } \exists q \in s,\ \exists q' \in s' : (q,a_I,q') \in \delta\} \ \cup\ \{(s,a_O,s') \mid a_O \in A^O \text{ and } \forall q \in s,\ \exists q' \in s' : (q,a_O,q') \in \delta\}$$

Theorem 9. Let $f$ be one of the objectives in $\{LimAvg, Disc_\lambda\}$ and $F$, $G$ be arbitrary BIAs with $M_O, M_I$ as error models; then the following inequalities hold:

$$d^f(F^{\forall\exists}\otimes M_O, G^{\exists\forall}\otimes M_I) \ \le\ d^f(F\otimes M_O, G\otimes M_I) \ \le\ d^f(F^{\exists\forall}\otimes M_O, G^{\forall\exists}\otimes M_I)$$
Proof. Let $\pi^1$ be the optimal positional Player 2 strategy in the game $H_{F\otimes M_O,G\otimes M_I}$; we construct a positional Player 2 strategy $\pi^2$ in $H_{F^{\forall\exists}\otimes M_O, G^{\exists\forall}\otimes M_I}$ that is going to ensure the needed value. When defining the strategy, we need to distinguish between two cases:

Input actions. Let the state be $(s_F, a_I, s_G)$ for some $a_I \in A^I$. We pick a state $q_F \in s_F$ and $q_G \in s_G$ such that strategy $\pi^1$ can ensure the value from the state $(q_F, a_I, q_G)$. Let $\pi^1$ reach state $(q_F, \#, q'_G)$ by playing action $a_I$. Then $\pi^2$ plays action $a_I$ to a state $(s_F, \#, [q'_G])$.

Output actions. Similarly as in the previous case, let the state be $(s_F, a_O, s_G)$ for some $a_O \in A^O$. We pick a state $q_F \in s_F$ and $q_G \in s_G$ such that strategy $\pi^1$ ensures the value from the state $(q_F, a_O, q_G)$. If the state reached by $\pi^1$ is $(q'_F, \#, q_G)$ then $\pi^2$ reaches a state $([q'_F], \#, q_G)$.

From every play conformant to $\pi^2$ we can extract a play conformant to $\pi^1$ such that their values are equal. This concludes the first inequality. The proof of the second inequality is similar, but considers the optimal Player 1 strategy. □
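The two quotient constructions $\delta^{\forall\exists}$ and $\delta^{\exists\forall}$ above, carried out in Python as an added example (not code from the paper). The BIA used as input is the Send interface of Section 4.1, reconstructed here from its textual description (state names are assumptions), and the partition that merges its two post-transmit states is chosen only so that the two abstractions visibly differ: the $\forall\exists$ abstraction drops the inputs ack?/nack? from the merged class (not every member accepts them) but keeps the outputs, while the $\exists\forall$ abstraction does the opposite.

```python
"""Quotient abstractions of a BIA under a state partition.

Added example, not code from the paper. A BIA is represented as the tuple
(states, initial, inputs, outputs, delta) with delta a set of (q, a, q') triples.
The Send interface is reconstructed from the textual description in Section 4.1
(state names are assumptions); the partition merging its two post-transmit
states is chosen here only to make the two abstractions differ."""
from itertools import product


def _lift(delta, partition, actions, universal):
    """Abstract triples (s, a, s') for the given actions.
    universal=True : every q in s must have some q' in s' with (q, a, q') in delta
    universal=False: some q in s must have some q' in s' with (q, a, q') in delta"""
    quantifier = all if universal else any
    abstract = set()
    for s, s2 in product(partition, repeat=2):
        for a in actions:
            if quantifier(any((q, a, q2) in delta for q2 in s2) for q in s):
                abstract.add((s, a, s2))
    return abstract


def _class_of(q, partition):
    """The equivalence class [q]."""
    for s in partition:
        if q in s:
            return s
    raise ValueError(f"state {q!r} is not covered by the partition")


def _check_partition(states, partition):
    if set().union(*partition) != set(states) or sum(map(len, partition)) != len(states):
        raise ValueError("partition must cover every state exactly once")


def forall_exists_abstraction(bia, partition):
    """F^{forall-exists}: inputs lifted with forall-exists, outputs with exists-exists
    (the abstraction accepts fewer inputs and offers more outputs than F)."""
    states, q0, a_in, a_out, delta = bia
    _check_partition(states, partition)
    delta_abs = _lift(delta, partition, a_in, True) | _lift(delta, partition, a_out, False)
    return (frozenset(partition), _class_of(q0, partition), a_in, a_out, delta_abs)


def exists_forall_abstraction(bia, partition):
    """F^{exists-forall}: inputs lifted with exists-exists, outputs with forall-exists."""
    states, q0, a_in, a_out, delta = bia
    _check_partition(states, partition)
    delta_abs = _lift(delta, partition, a_in, False) | _lift(delta, partition, a_out, True)
    return (frozenset(partition), _class_of(q0, partition), a_in, a_out, delta_abs)


def send_bia():
    """Send from Figure 3, as reconstructed here: states 0..3, retry loop at state 3."""
    delta = {(0, "send?", 1), (1, "transmit!", 2), (2, "ack?", 0),
             (2, "nack?", 3), (3, "transmit!", 2), (3, "abort!", 0)}
    return ([0, 1, 2, 3], 0, {"send?", "ack?", "nack?"}, {"transmit!", "abort!"}, delta)


# Assumed partition: keep 0 and 1 concrete, merge the two states after transmit!.
RETRY_PARTITION = [frozenset({0}), frozenset({1}), frozenset({2, 3})]


if __name__ == "__main__":
    fe = forall_exists_abstraction(send_bia(), RETRY_PARTITION)
    ea = exists_forall_abstraction(send_bia(), RETRY_PARTITION)
    for name, abstraction in (("forall-exists", fe), ("exists-forall", ea)):
        print(name)
        for s, a, s2 in sorted(abstraction[4], key=lambda t: (sorted(t[0]), t[1])):
            print(f"  {set(s)} --{a}--> {set(s2)}")
```

Because the $\forall\exists$ abstraction of $F$ demands less on inputs and offers more on outputs, it is the side that makes a refinement check easier, which is why Theorem 9 pairs $F^{\forall\exists}$ with $G^{\exists\forall}$ for the lower bound and swaps them for the upper bound.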



4 Case Studies 

We present two case studies illustrating the interface simulation distances framework. In the first one, we 
describe a message transfer protocol for sending messages over an unreliable medium. This case study 
also serves to illustrate the behavior of the distance under interface composition. The second case study 
is on error correcting codes. In both cases, we use the limit average objective. 

4.1 Message Transmission Protocol 

Consider a BIA Send in Figure 3. It receives a message via the input send?. It then tries to send this message over an unreliable medium using the output transmit!. In response to transmit?, it can receive an input ack? signifying successful delivery of the message, or an input nack? signifying failure. It can then try to transmit! again (unboundedly many times), or it can abort using the output abort!. Send will be our specification interface.

Figure 3: Send

We consider two implementation interfaces SendOnce and SendTwice (Figures 4 and 5). SendOnce tries to send the message only once and, if it does not succeed, it reports a failure by sending the fail! output. The second implementation SendTwice tries to send the message twice and it reports a failure only if the transmission fails two times in a row. These implementation interfaces thus differ from the specification interface, which can try to transmit the message an unbounded number of times. In particular, neither SendOnce nor SendTwice refines the specification Send in the classical boolean sense.

In order to compute distances between Send on one hand, and SendOnce and SendTwice on the other, we first define an error model. The output error model $M_O$ we consider allows playing an output action fail! instead of abort! with penalty 1. We construct two games: $H_{Send\otimes M_O, SendOnce}$ and $H_{Send\otimes M_O, SendTwice}$. The goal of Player 1 is to make Player 2 cheat by playing abort! as often as possible. Therefore, whenever Player 1 has a choice between ack? and nack?, the optimal strategy is going to play nack?. This agrees with the intuition that the difference between Send and SendOnce (SendTwice) is manifested in the case when the transmission fails.

Figure 4: Implementation SendOnce    Figure 5: Implementation SendTwice

The resulting distances are $d(Send \otimes M_O, SendOnce)$ = ^ and $d(Send \otimes M_O, SendTwice)$ = g. According to the computed distances, SendTwice is closer to the specification than SendOnce, as it tries to send the message more times before reporting a failure.
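To make the boolean claim of this section concrete, the following Python is an added example (not the paper's code): it reconstructs Send, SendOnce and SendTwice from their descriptions above (state names are assumptions), runs the alternating simulation check, and shows that neither implementation refines Send because of the fail! output. It then applies the output error model of this section in the simplest way, by adding fail! as an extra output wherever Send can output abort!, and shows that with the substitution allowed both implementations do refine Send ⊗ $M_O$. The penalty that $M_O$ attaches to each substitution is what the distance counts; solving the game for its value is outside this example.

```python
"""Alternating simulation check for Send, SendOnce and SendTwice.

Added example, not code from the paper. The three interfaces are reconstructed
from their textual descriptions; state names are assumptions. An interface is a
dict: state -> list of (action, successor); actions ending in '?' are inputs,
actions ending in '!' are outputs."""

SEND = {
    "s0": [("send?", "s1")],
    "s1": [("transmit!", "s2")],
    "s2": [("ack?", "s0"), ("nack?", "s3")],
    "s3": [("transmit!", "s2"), ("abort!", "s0")],   # retry unboundedly, or abort
}
SEND_ONCE = {
    "s0": [("send?", "s1")],
    "s1": [("transmit!", "s2")],
    "s2": [("ack?", "s0"), ("nack?", "s3")],
    "s3": [("fail!", "s0")],                         # gives up after one attempt
}
SEND_TWICE = {
    "s0": [("send?", "s1")],
    "s1": [("transmit!", "s2")],
    "s2": [("ack?", "s0"), ("nack?", "s3")],
    "s3": [("transmit!", "s4")],                     # second attempt
    "s4": [("ack?", "s0"), ("nack?", "s5")],
    "s5": [("fail!", "s0")],                         # gives up after two failures
}


def is_input(action):
    return action.endswith("?")


def alternating_simulation(spec, impl):
    """Greatest fixpoint of the alternating simulation conditions:
    (a, b) survives iff every input of spec at a is matched by impl at b,
    and every output of impl at b is matched by spec at a, with the
    successors again related."""
    rel = {(a, b) for a in spec for b in impl}
    changed = True
    while changed:
        changed = False
        for a, b in list(rel):
            inputs_ok = all(
                any(act2 == act and (a2, b2) in rel for act2, b2 in impl[b])
                for act, a2 in spec[a] if is_input(act))
            outputs_ok = all(
                any(act2 == act and (a2, b2) in rel for act2, a2 in spec[a])
                for act, b2 in impl[b] if not is_input(act))
            if not (inputs_ok and outputs_ok):
                rel.discard((a, b))
                changed = True
    return rel


def refines(spec, impl, spec_init="s0", impl_init="s0"):
    """True iff impl refines spec in the boolean (alternating simulation) sense."""
    return (spec_init, impl_init) in alternating_simulation(spec, impl)


def with_output_error_model(spec, replaced, replacement):
    """spec (x) M_O as modelled in this example: wherever spec can output
    `replaced`, also allow `replacement` to the same successor. The penalty
    the error model attaches to that substitution is not tracked here."""
    return {q: trans + [(replacement, q2) for act, q2 in trans if act == replaced]
            for q, trans in spec.items()}


if __name__ == "__main__":
    send_mo = with_output_error_model(SEND, "abort!", "fail!")
    for name, impl in (("SendOnce", SEND_ONCE), ("SendTwice", SEND_TWICE)):
        print(f"{name} refines Send:          {refines(SEND, impl)}")
        print(f"{name} refines Send (x) M_O:  {refines(send_mo, impl)}")
```

Running the check without the error model removes the pair (s3, s3) first, because fail! is an output the specification never offers, and the removal propagates back to the initial pair; with fail! admitted as a substitute for abort! the pairs survive, and the distance then measures how often that substitution is used along the worst play.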

In order to illustrate the behavior of the interface simulation distance under composition of interfaces, we compose the interfaces Send, SendOnce, and SendTwice with an interface modeling the unreliable medium. The interface Medium in Figure 6 models a medium that fails to send a message at most two times in a row. The resulting systems $Send \| Medium$, $SendOnce \| Medium$ and $SendTwice \| Medium$ can be seen in Figures 9, 7 and 8.

Again we can construct two games and compute their values. We obtain: $d((Send \| Medium) \otimes M_O, SendOnce \| Medium)$ = ^, and $d((Send \| Medium) \otimes M_O, SendTwice \| Medium)$ = . As expected, when the Medium cannot fail two times in a row the implementation SendTwice is as good as the specification and therefore the distance would be 0. We remark that if we changed the model of the Medium to one that never fails, both distances would be 0.

Figure 6: The Medium



Figure 7: SendOnce $\|$ Medium

Figure 8: SendTwice $\|$ Medium




4.2 Error Correcting Codes 

Error correcting codes are a way to ensure reliable information transfer through a noisy environment. An error correcting code is for our purposes a function that assigns to every binary input string a fixed length codeword (again a binary string) that is afterwards transmitted. A natural way to improve the chances of a correct transfer is to encode each message into a codeword by adding redundant bits. These codewords might get corrupted during the transmission, but the redundancy ensures that codewords are not close to each other (according to Hamming distance), and therefore it is possible to detect an erroneous transfer, and sometimes even to correct some of the errors. Note that in what follows, we consider a situation where the only type of error allowed during the transmission is a bit flip.

We consider the well-known standard $(n,M,d)$-code, where $n$ is the length of the code words, $M$ is the number of different original messages, and $d$ is the minimal Hamming distance between codewords. For instance, if we are given an error correcting code such that the minimal distance between codewords is 3 (i.e. an $(n,M,3)$-code for some $n$ and $M$), then whenever a single bit flip occurs we receive a string that is not among the codewords. However, there exists a unique codeword that has the minimal distance to the received string. The received string can then be corrected to this codeword.

Figure 9: Send $\|$ Medium

We consider two different error correcting codes $C_1$ and $C_2$. Both codes encode 2 bit strings into 5 bit codewords. The codes are given in the following table:

$C_1(00) = 00000$    $C_1(01) = 00101$    $C_2(00) = 00000$    $C_2(01) = 01101$
$C_1(10) = 10110$    $C_1(11) = 11011$    $C_2(10) = 10110$    $C_2(11) = 11011$

Note that $C_1$ is a $(5,4,2)$ code, i.e., its codewords have length 5, it encodes 4 words and the minimal Hamming distance between two codewords is 2. The minimal distance 2 ensures that when decoding the codeword a single bit flip can be detected, however, not corrected. On the other hand the code $C_2$ is a $(5,4,3)$ code and therefore can detect 2 bit flips and correct a single bit flip.
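The detect-versus-correct distinction between $C_1$ and $C_2$, checked exhaustively in Python as an added example (not code from the paper). The code tables are exactly those above; nearest-codeword decoding, the single-bit-flip enumeration and the outcome tally are constructed here. It shows that under one flip $C_1$ never returns a wrong message but four of its twenty corrupted words land at equal distance from two codewords (detected, not correctable), whereas $C_2$ corrects all twenty, and that under two flips $C_2$ still never mistakes the corrupted word for a codeword but can decode to the wrong message.

```python
"""Detection vs. correction for the two (5,4,d) codes of Section 4.2.

Added example, not code from the paper. Codes are exactly the paper's table;
the decoder, flip enumeration and tally are constructed here."""
from itertools import combinations

C1 = {"00": "00000", "01": "00101", "10": "10110", "11": "11011"}   # (5,4,2)
C2 = {"00": "00000", "01": "01101", "10": "10110", "11": "11011"}   # (5,4,3)


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def min_distance(code):
    """The d of an (n, M, d)-code: smallest Hamming distance between distinct codewords."""
    return min(hamming(u, v) for u, v in combinations(code.values(), 2))


def decode(code, received):
    """Nearest-codeword decoding. Returns (status, message) where status is
    'ok'        : received is itself a codeword (any error is invisible),
    'corrected' : a unique nearest codeword exists, message is its preimage,
    'detected'  : no unique nearest codeword, so the error is seen but not fixed."""
    by_word = {w: m for m, w in code.items()}
    if received in by_word:
        return "ok", by_word[received]
    dists = {w: hamming(w, received) for w in by_word}
    best = min(dists.values())
    nearest = [w for w, d in dists.items() if d == best]
    if len(nearest) == 1:
        return "corrected", by_word[nearest[0]]
    return "detected", None


def flip(word, positions):
    """Apply a bit flip at each of the given positions (the only error type considered)."""
    bits = list(word)
    for i in positions:
        bits[i] = "1" if bits[i] == "0" else "0"
    return "".join(bits)


def flip_report(code, k):
    """Decode every codeword under every pattern of exactly k bit flips and tally outcomes."""
    n = len(next(iter(code.values())))
    tally = {"undetected": 0, "corrected_right": 0, "corrected_wrong": 0, "detected": 0}
    for msg, word in code.items():
        for positions in combinations(range(n), k):
            status, out = decode(code, flip(word, positions))
            if status == "ok":
                tally["undetected"] += 1        # corrupted word is another codeword
            elif status == "detected":
                tally["detected"] += 1
            elif out == msg:
                tally["corrected_right"] += 1
            else:
                tally["corrected_wrong"] += 1   # "corrected" to the wrong message
    return tally


if __name__ == "__main__":
    for name, code in (("C1", C1), ("C2", C2)):
        print(f"{name}: d = {min_distance(code)}")
        for k in (1, 2):
            print(f"  {k} flip(s): {flip_report(code, k)}")
```

The tally is the bit-level counterpart of the game values reported below: with $F_{Error}$ limited to one flip, the spec's "always output the input message" is met by $C_2$ on every run, while $C_1$ has runs where it must emit an error symbol instead.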

We model as BIAs the codes $C_1$ and $C_2$ and their transmission over a network where bit flips can occur. We construct the BIAs $F_{C_1}$ and $F_{C_2}$ according to the scheme presented in Figure 10 (this scheme is inside a loop and thus occurs repeatedly in both the BIAs). The first action is the input of a two-bit word that should be transmitted. The input word is then encoded according to $C_1$ (in $F_{C_1}$) or $C_2$ (in $F_{C_2}$). Then a sequence of five actions flip (or noflip) determines whether a bit flip occurs on the corresponding position. Depending on the flip/noflip sequence received and the error correcting code used, the final output is the decoding of the received string, with possibly some of the corrupted bits detected or repaired. More precisely, on an input $x$, $F_{C_1}$ can detect a single bit flip, and could in this case send an error output. In case of more flips, it can even output a symbol different from the input $x$. Similarly, on an input $x$, $F_{C_2}$, in case of a single bit flip, can detect and correct the bit flip, and output the message $x$. If there are multiple flips it outputs a string different from the input $x$. As a specification interface, we consider a BIA $F_{spec}$ that uses the schema from Figure 10 but always outputs its input message, no matter what sequence of flip or noflip actions it receives.

Figure 10: Code $C_2$

We compose all three automata with a BIA $F_{Error}$ modeling the allowed number of bit flips. Let $F_{Error}$ allow only a single bit flip in 5 bits. The output error model $M_O$ allows Player 2 to play all the output 2 bit strings together with the error actions interchangeably. Then the corresponding values of the games are as follows: (a) $d((F_{spec} \| F_{Error}) \otimes M_O, F_{C_2} \| F_{Error}) = 0$, and (b) $d((F_{spec} \| F_{Error}) \otimes M_O, F_{C_1} \| F_{Error})$ = 7-. This shows that the code $C_2$ performs better than the code $C_1$, as it can not only detect bit flips, but can also correct a single bit flip. If we used an $F_{Error}$ that could do multiple bit flips in 5 bits, the distances of both codes would be the same.



5 Conclusion 

Summary. This paper extends the quantitative notion of simulation distances [9] to automata with inputs and outputs. This distance relaxes the boolean notion of refinement and allows us to measure the "desirability" of an interface with respect to a specification, or to select the best fitting interface from several choices that do not refine a specification interface in the usual boolean sense. We show that the interface simulation distance is a directed metric, i.e., it satisfies reflexivity and the triangle inequality. Moreover, the distance can only decrease when the interfaces are composed with a third interface, which allows us to decompose the specification into simpler parts. Furthermore, we show that the distance can be bounded from above and below by considering abstractions of the interfaces.
Future work. Defining the interface simulation distance for broadcast interface automata is one particular instance of a more general idea. We plan to examine the properties of the distance on other types of I/O automata, with differing notions of composition, with internal actions, or timed automata and automata modeling resource usage. Second, we plan to investigate probabilistic versions of the simulation distances, which would be useful in cases where there is a probability distribution on possible environment inputs. Third, we plan to perform larger case studies to establish which error models and accumulating functions ($LimAvg$, $Disc_\lambda$, etc.) are most useful in practice.